• Trojans (Labs contain several ways to make Trojans)
    • Virus (Labs contain ways to disable most things) JPS Virus Maker
    • Virus Analysis – IDA
    • Virus Analysis - OllyDbg
    • Trojan Analysis – TCP View
    • Trojan Analysis – Autoruns
    • TCP Connections – CurrPorts
    • ClamWin – Remove Malware
Virus Analysis – IDA: use IDA to view the flow chart, function calls, hex dump and structures of the virus file

From windows box

A.      Run IDA – The IDA main window appears, along with the “Select file to disassemble” window; select the virus file to be analyzed

B.       The IDA Pro Analysis window appears after the analysis is complete, as shown in the screenshot. Go to View --> Graphs and click Flow Chart on the menu bar

C.      A Graph window appears with the flow. You may zoom in to view clearly.

D.      Close the Graph window and go to View --> Graphs and click Function Calls from menu bar

E.       Window showing call flow appears; zoom in for a better view. Close the WinGraph32 Call flow window after completing the analysis.

F.       Click Windows on the menu bar, and select Hex View-1.

G.      The hex dump of the virus file is displayed

H.      To view the structure of the virus, navigate to Windows --> Structures
Virus Analysis – OllyDbg: use OllyDbg to view the log, executable modules, memory map and threads of the virus file

From windows box

A.      Open OllyDbg and open the target (virus) file

B.       The disassembly appears in a window named CPU - main thread, module ntdll

C.      Choose View in the menu bar, and then choose Log.

D.      A window named Log data appears in OllyDbg, displaying the log details

E.       Choose View in the menu bar, and then choose Executable modules, to view the executable modules loaded by the virus file

F.       Choose View in menu bar, and then choose Memory. A window appears in OllyDbg (Memory map), displaying all memory mappings

G.     Choose View in menu bar, and then choose Threads. A window appears in OllyDbg (Threads), displaying all threads
Use TCPView to view details such as Process, Process Id, Protocol, Local Address, Local Port, Remote Address, and Remote Port.

From windows box

A.      Open TCPView – It shows every local process that owns a TCP or UDP endpoint; columns can be sorted by clicking their headers

Use Autoruns to view all startup processes

From windows box

A.      Open Autoruns – It shows all local programs configured to run at startup

B.       Autoruns displays all the processes, DLLs, services and drivers that are configured to start automatically, grouped by tab

C.      Click the Explorer tab to view the explorer applications that run automatically at system startup.

D.      Clicking the Services tab displays all the services that run automatically at system startup

E.       Click the Drivers tab to view all the applications’ drivers that run automatically at system startup. For example, here 3ware is selected. Clicking this driver displays the size, version and time at which it was run automatically at system startup (for the first time).

F.       Click Known DLLs tab to view all the known DLLs that start automatically at system startup.
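The following PowerShell script is an added example, not part of the lab notes or of the Autoruns tool: it is a scripted counterpart of the Logon, Services and Drivers tabs described above. It enumerates the Run/RunOnce registry keys, auto-start services and boot/system/auto-start kernel drivers, resolves each entry to the file it launches, and checks that file's Authenticode signature so unsigned or missing images surface first for triage. The function names (Resolve-ImagePath, Get-StartupEntries) are my own; the cmdlets used (Get-ItemProperty, Get-CimInstance, Get-AuthenticodeSignature) are standard Windows PowerShell. Run it in an elevated prompt.

```powershell
# Added example (not from the lab notes): scripted view of Autoruns' Logon, Services and Drivers tabs.
# Run elevated in Windows PowerShell 5.1 or PowerShell 7 on Windows.

# Turn a registry or service command line into the path of the executable it launches,
# handling quoted paths, environment variables and the \SystemRoot / \??\ kernel prefixes.
function Resolve-ImagePath {
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    $cmd = $CommandLine.Trim()
    $cmd = $cmd -replace '^\\\?\?\\', ''                              # \??\C:\x.sys   -> C:\x.sys
    $cmd = $cmd -replace '^\\SystemRoot', $env:SystemRoot              # \SystemRoot\.. -> C:\Windows\..
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd)
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }               # "C:\dir with spaces\x.exe" args
    if ($cmd -match '^(\S+?\.(exe|sys|dll|cmd|bat))') { return $Matches[1] }  # C:\dir\x.exe args
    if ($cmd -match '^(\S+)') { return $Matches[1] }
    return $null
}

# Emit one object per auto-start entry: Category (Logon/Service/Driver), Name, Command, Source.
function Get-StartupEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those, keep the real values.
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object {
                [PSCustomObject]@{ Category = 'Logon'; Name = $_.Name; Command = $_.Value; Source = $key }
            }
    }
    # Services tab: services whose start mode is Automatic.
    Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } | ForEach-Object {
        [PSCustomObject]@{ Category = 'Service'; Name = $_.Name; Command = $_.PathName; Source = 'Win32_Service' }
    }
    # Drivers tab: kernel drivers loaded at boot, system init or automatically.
    Get-CimInstance Win32_SystemDriver | Where-Object { $_.StartMode -in 'Boot', 'System', 'Auto' } | ForEach-Object {
        [PSCustomObject]@{ Category = 'Driver'; Name = $_.Name; Command = $_.PathName; Source = 'Win32_SystemDriver' }
    }
}

# Resolve each entry to a file and record its Authenticode status
# (Valid, NotSigned, HashMismatch, NotTrusted, ...) or FileNotFound.
# Note: on older Windows versions, catalog-signed OS components may report NotSigned.
$entries = Get-StartupEntries | ForEach-Object {
    $path = Resolve-ImagePath $_.Command
    $sig  = if ($path -and (Test-Path -LiteralPath $path)) {
                (Get-AuthenticodeSignature -LiteralPath $path).Status
            } else { 'FileNotFound' }
    $_ | Add-Member -NotePropertyName ImagePath -NotePropertyValue $path -PassThru |
         Add-Member -NotePropertyName Signature -NotePropertyValue $sig  -PassThru
}

# Triage view: entries that are not validly signed sort to the top.
$entries |
    Sort-Object @{ Expression = { $_.Signature -eq 'Valid' } }, Category, Name |
    Format-Table Category, Name, Signature, ImagePath -AutoSize
```

A missing file (FileNotFound) is worth a look in its own right: an orphaned Run value or service can point at a path that malware later reclaims, and Autoruns flags the same condition as "File not found".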
Use CurrPorts to view the network connections currently open

From windows box

A.      Open CurrPorts – Look for processes that are connected to remote ports (typically .exe files)

B.      You can view the properties of the process by right-clicking on the process, and clicking Properties in the Context menu

C.      The Properties window appears displaying information related to the process, such as the name of the process, process ID, Remote Address, Process Path, Remote Host name, and so on.
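As an added example that is not part of the lab notes, TCPView or CurrPorts, the PowerShell below produces the same Process / Process Id / Protocol / Local Address / Local Port / Remote Address / Remote Port listing for established TCP connections, adds the process path (the detail CurrPorts shows in Properties), and then applies one simple triage filter: connected processes whose image lives in a user-writable folder. The function name Get-RemoteConnections and the folder-name heuristic are my own; Get-NetTCPConnection and Get-Process are standard cmdlets (NetTCPIP module, Windows 8 / Server 2012 and later). Process paths for protected or other users' processes are only visible when run elevated.

```powershell
# Added example (not from the lab notes): TCPView/CurrPorts-style listing of established TCP
# connections with the owning process. Requires the NetTCPIP module (Windows 8+ / Server 2012+).
function Get-RemoteConnections {
    Get-NetTCPConnection -State Established |
        # Drop loopback traffic so only connections to other hosts remain.
        Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                Process       = if ($proc) { $proc.ProcessName } else { '<exited>' }
                ProcessId     = $_.OwningProcess
                Protocol      = 'TCP'
                LocalAddress  = $_.LocalAddress
                LocalPort     = $_.LocalPort
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                Path          = $proc.Path      # $null for system/protected processes unless elevated
            }
        }
}

$connections = Get-RemoteConnections

# Full view, sorted the way one usually scans TCPView: by remote port, then process.
$connections | Sort-Object RemotePort, Process |
    Format-Table Process, ProcessId, Protocol, LocalAddress, LocalPort, RemoteAddress, RemotePort, Path -AutoSize

# Triage heuristic (my own, constructed for this example): a networked process running out of
# Temp, AppData or Downloads is unusual for legitimate software and deserves a closer look.
$suspicious = $connections | Where-Object {
    $_.Path -and ($_.Path -match '\\(Temp|AppData|Downloads)\\')
}
if ($suspicious) {
    "`nProcesses connected from user-writable locations:"
    $suspicious | Format-Table Process, ProcessId, RemoteAddress, RemotePort, Path -AutoSize
}
```

To mirror TCPView's listening entries as well, call Get-NetTCPConnection with -State Listen; UDP endpoints (which have no remote side) come from Get-NetUDPEndpoint.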
Use ClamWin to find a virus / trojan

From windows box

A.      Open ClamWin - click the Memory Scan icon (third icon from the left) on the toolbar

B.       In the ClamWin main window, select the drive to be scanned (here C:) and click Scan

C.      The scan results list any detections and the path of each infected file
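The PowerShell below is an added example, not part of the lab notes or of ClamWin itself: it runs the clamscan.exe command-line scanner that ships with ClamWin against a folder, interprets the exit code, and parses the "FOUND" lines from the log into file/signature pairs, which is the scripted equivalent of the drive scan in step B (the GUI's Memory Scan has no clamscan equivalent). The install path, database directory and target folder are assumptions and should be adjusted to the machine; the function name Invoke-ClamScan is my own.

```powershell
# Added example (not from the lab notes): file scan with ClamWin's bundled clamscan.exe.
# ASSUMPTIONS: install path, signature database directory and target folder below are
# typical defaults; change them to match the machine being examined.
$clamscan = 'C:\Program Files (x86)\ClamWin\bin\clamscan.exe'
$database = Join-Path $env:ProgramData '.clamwin\db'
$target   = 'C:\Users'
$logFile  = Join-Path $env:TEMP 'clamscan.log'

function Invoke-ClamScan {
    param([string]$Path)
    # --recursive: descend into subfolders; --infected: print only infected files.
    & $clamscan --recursive --infected "--database=$database" "--log=$logFile" $Path | Out-Null
    # clamscan exit codes: 0 = nothing found, 1 = infected file(s) found, 2 = an error occurred.
    switch ($LASTEXITCODE) {
        0       { 'CLEAN' }
        1       { 'INFECTED' }
        default { 'ERROR' }
    }
}

$result = Invoke-ClamScan -Path $target
"Scan of $target finished: $result (log: $logFile)"

if ($result -eq 'INFECTED') {
    # Each detection is logged as "<path>: <signature name> FOUND".
    Select-String -Path $logFile -Pattern ' FOUND$' | ForEach-Object {
        $file, $sig = $_.Line -split ': ', 2
        [PSCustomObject]@{ File = $file; Signature = ($sig -replace ' FOUND$', '') }
    } | Format-Table -AutoSize
}
```

Treat ERROR (exit code 2) as a failed scan rather than a clean one: a missing or outdated database, an unreadable folder or a locked file all end the run with that code, and the log records which.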